Hello, I am trying to spin up and EKS cluster in AWS using the code which was provided in the k8s workshop by @stocky-restaurant-98004. I have tried this in my personal Pulumi account (version v3.144.1 and was successful. But when I try to do this using the version v3.145.1, I get an error towards the end as follows:

aws:autoscaling:Group (pulumi-k8s):
    error:   sdk-v2/provider2.go:515: sdk.helper_schema: creating Auto Scaling Group (pulumi-k8s-28543f5): operation error Auto Scaling: CreateAutoScalingGroup, https response error StatusCode: 403, RequestID: 62ad2824-1a15-4be9-aa0f-8043dd76dd4b, api error AccessDenied: You are not authorized to use launch template: pulumi-k8s-launchTemplate-9c0530b: provider=aws@6.66.1
    error: 1 error occurred:
    	* creating Auto Scaling Group (pulumi-k8s-28543f5): operation error Auto Scaling: CreateAutoScalingGroup, https response error StatusCode: 403, RequestID: 62ad2824-1a15-4be9-aa0f-8043dd76dd4b, api error AccessDenied: You are not authorized to use launch template: pulumi-k8s-launchTemplate-9c0530b

  pulumi:pulumi:Stack (eks-dev):
    warning: resource plugin pulumiservice is expected to have version >=0.27.4, but has 0.0.1; the wrong version may be on your path, or this may be a bug in the plugin
    error: update failed
    error: eks:index:Cluster resource 'pulumi-k8s' has a problem: grpc: the client connection is closing

Any idea what is going on here?

The AWS errors can be a bit too generic sometimes. Without knowing what your IAM principal and AWS account/org looks like it could be many things that affect IAM. For example, you'd get this error when there's an org level SCP preventing you from creating unencrypted EBS volumes (by default the volume of EKS nodes is not encrypted).

@great-match-20206 Can you give me the link to the code? I wanna make sure it still at least works on my machine.

Ah, I think I am leaning towards your answer @quick-house-41860 as I do see an SCP for Unencrypted EBS Volumes in place, enforced for this particular AWS account. @stocky-restaurant-98004, the code works (as it works for my personal AWS account - no SCP for Unencrypted Volumes). This is the code location: https://github.com/pulumi/workshops/tree/main/k8s-better-together/eks-cluster I am going to try to turn off the SCP and give it a try. Merci beaucoup!

Alternatively you could also turn on encryption for the volume. Depending on what component you're using there should be similar settings like this one: https://www.pulumi.com/registry/packages/eks/api-docs/cluster/#noderootvolumeencrypted_nodejs

@quick-house-41860, I am using the awsx package, so I am guessing that I can pass this parameter... Thanks.

Aren't you using

pulumi-eks

? This line in your logs made me think so:

error: eks:index:Cluster resource 'pulumi-k8s' has a problem: grpc: the client connection is closing

If not, let me know what component you're using and I can help find the right settings

@quick-house-41860,

pulumi-k8s

is the name I gave to the configuration (of the EKS cluster). By the way, I used the setting `nodeRootVolumeEncrypted`set to true and now everything works, with the SCP (EBS volumes encrypted). Thanks for your help.

Great!